Old 04-30-2010, 05:06 PM
 
Default DNSSEC

Well, folks,

There's an article on slashdot,
<http://tech.slashdot.org/article.pl?sid=10/04/30/1258234>

Excerpt:
...the coming milestone of May 5, at 17:00 UTC - at this time DNSSEC will
be rolled out across all 13 root servers. Some Internet users, especially
those inside corporations and behind smaller ISPs, may experience
intermittent problems. The reason is that some older networking equipment
is pre-configured to block any reply to a DNS request that exceeds 512
bytes in size. DNSSEC replies are typically four times as large.
--- end excerpt ---

I followed the link from the story to
<https://www.dns-oarc.net/oarc/services/replysizetest>, a coordinating
organization, and tried their test (as root):
dig +short rs.dns-oarc.net txt

And I see that where I work, we're not ready. Is anyone following this,
and/or have a HOWTO on enabling it for CentOS?

mark (need to check this at home, too)

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-30-2010, 05:18 PM
Drew Weaver
 
Default DNSSEC

Hi,

It's enabled by default; if BIND is the right version, nothing needs to be done.

I found it kind of sad that the version of BIND that comes with the latest version of CentOS 4 is so old that it doesn't support DNSSEC.

thanks,
-Drew
XLHost.com
 
Old 04-30-2010, 06:44 PM
 
Default DNSSEC

Drew wrote:

> It's enabled by default if BIND is the right version nothing needs to be
> done.
>
> I found it kind of sad that the version of BIND that comes with the latest
> version of CentOS 4 is so old that it doesn't support DNSSEC.

So it doesn't look like our servers run bind; it's the network folks.... I
wonder if my boss should contact them....

mark

 
Old 05-01-2010, 11:18 PM
Nataraj
 
Default DNSSEC

Thank you for this warning. CentOS 5.4 does support this correctly,
however I see that there are lots of ISPs out there with servers that do
not. In an emergency you can point your systems at the free google dns,
which appear not to support it, but according to the google technical
staff they actually do as can be seen by the following query...
http://code.google.com/speed/public-dns/

dig @8.8.8.8 +dnssec +short rs.dns-oarc.net txt
rst.x1247.rs.dns-oarc.net.
rst.x1257.x1247.rs.dns-oarc.net.
rst.x1228.x1257.x1247.rs.dns-oarc.net.
"74.125.154.94 DNS reply size limit is at least 1257"
"74.125.154.94 sent EDNS buffer size 1280"
"Tested at 2010-05-01 23:10:20 UTC"


Nataraj


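To show what the `dig @8.8.8.8 +dnssec +short rs.dns-oarc.net txt` command above actually puts on the wire, and how to read the reply size test's answer against the 512-byte limit from the Slashdot excerpt, here is an added example (not code from the thread or from DNS-OARC): it builds the EDNS0 query with the DO bit set, and evaluates the test's TXT strings. The 192.0.2.53 sample is constructed; the Google result is the one quoted in the thread.

```python
import re
import struct

def build_dnssec_query(qname, udp_payload=4096, txid=0x1234):
    """Wire-format equivalent of `dig +dnssec <qname> txt`: a standard
    query plus an EDNS0 OPT RR advertising a UDP payload size above the
    classic 512 bytes and setting the DO (DNSSEC OK) bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional (OPT)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 16, 1)  # QTYPE TXT, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags with DO = 0x8000, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x00008000, 0)
    return header + question + opt

LIMIT_RE = re.compile(r'"(\S+) DNS reply size limit is at least (\d+)"')
EDNS_RE = re.compile(r'"(\S+) sent EDNS buffer size (\d+)"')

def assess_replysize(dig_output, classic_limit=512):
    """Interpret the TXT strings of the DNS-OARC reply size test: can the
    resolver and the path to it carry replies above 512 bytes?"""
    limit = LIMIT_RE.search(dig_output)
    edns = EDNS_RE.search(dig_output)
    if limit is None:
        return {"ready": False, "reason": "no size result: test replies lost or truncated"}
    size = int(limit.group(2))
    res = {"resolver": limit.group(1), "measured_limit": size,
           "advertised_buffer": int(edns.group(2)) if edns else None}
    if res["advertised_buffer"] is None:
        res.update(ready=False, reason="no EDNS buffer advertised; replies capped at 512")
    elif size <= classic_limit:
        res.update(ready=False, reason="replies over %d bytes did not get through" % classic_limit)
    else:
        res.update(ready=True, reason="large replies pass")
        if size < res["advertised_buffer"]:
            res["note"] = "sizes between measured limit and advertised buffer not confirmed"
    return res

# TXT strings quoted in the thread (Google Public DNS, 2010-05-01).
THREAD_OUTPUT = """"74.125.154.94 DNS reply size limit is at least 1257"
"74.125.154.94 sent EDNS buffer size 1280"
"Tested at 2010-05-01 23:10:20 UTC"
"""
# Constructed sample (not from the thread) of a path that drops the larger test replies.
BLOCKED_OUTPUT = """rst.x476.rs.dns-oarc.net.
"192.0.2.53 DNS reply size limit is at least 476"
"192.0.2.53 sent EDNS buffer size 4096"
"""
```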
 
Old 05-02-2010, 11:13 PM
Nataraj
 
Default DNSSEC

A further update on this... It appears that there are a number of DNS
servers, particularly some of the caching servers run by ISPs, which do
not implement DNSSEC, but will still work after 5/5. So the published
tests are not necessarily conclusive. Not that it is great that these
implementations lack DNSSEC, though some of them are working on it. One
example is powerdns.... See the following urls for statements regarding
the ability of these servers to function after 5/5.

http://mailman.powerdns.com/pipermail/pdns-users/2010-March/006610.html
http://mailman.powerdns.com/pipermail/pdns-users/2010-April/006674.html

Nataraj

 
Old 11-08-2010, 03:21 PM
James
 
Default DNSSEC

Hello,

Several times in the past, I have approached
setting up DNS servers, only to get side-tracked.
I'm making another stab at setting my DNS
servers for my humble, small CIDR (/29) block.

Now it seems DNSSEC is all the rage, even
at the root servers [1].

So what am I to choose to effect DNSSEC on gentoo?
Hardware suggestions on low power (5-10 watts) (embedded)
hardware with Gentoo are welcome.

net-dns/unbound (portage) [2]
bind9 (portage)
nsd (?)
opendnssec (sunrise overlay)
???

Googling and research has led me to reading
quite a lot of interesting, but fragmented
thoughts on the subject of DNSSEC and gentoo.

Any discussion or guidance is appreciated.

[1] http://www.root-dnssec.org/
[2] http://www.unbound.net/documentation/howto_anchor.html
[3] https://svn.whyscream.net/whyscream-overlay/sunrise-dev/net-dns/
[4] http://gentoo-overlays.zugaina.org/sunrise/net-dns.html.en

[] https://www.dnssec-tools.org/wiki/index.php/Tutorials
 
Old 11-08-2010, 04:07 PM
Alan McKinnon
 
Default DNSSEC

Apparently, though unproven, at 18:21 on Monday 08 November 2010, James did
opine thusly:

> Hello,
>
> Several times in the past, I have approached
> setting up DNS servers, only to get side-tracked.
> I'm making another stab as setting my DNS
> servers for my humble, small cidr (/29) block.

Don't take this the wrong way, but you probably don't want to go this route
right now.

Your questions and statements indicate that you do not know much about DNSSEC
and probably not DNS itself either. DNS is not trivial, regardless of what
anyone tells you. DNSSEC less so. This is a topic best left to groups that do
it all day every day, the hobbyist approach isn't what you want.

How do I know this? Well, I have 7 years of DNS support tickets I can trawl
through :-) The number of mistakes made by clients, the number of silly
requests they make and the sheer amount of misinformation about how DNS works
is unbelievable. By contrast, there's no record of my team (who admin the
servers) making any mistakes, ever. And the fellow who sits next to me (and
signs off on my performance review) just signed the .za zone. I watched him, I
know how non-trivial it is :-)

Play with DNSSEC by all means if it intrigues you. If you get it right easily,
you can write a wiki page that helps others immensely. But just be informed
upfront about what it's going to take.


--
alan dot mckinnon at gmail dot com
 
Old 11-08-2010, 04:23 PM
James
 
Default DNSSEC

Alan McKinnon <alan.mckinnon <at> gmail.com> writes:


> I know how non-trivial it is

FABULOUS!!!!!!!!!!!!!!!!!!!

With several Domain names, I'll just let the local
ISP resolve one and I'll set up servers to resolve
the other(s) and pull the cables if necessary.
Lots of physical partitioning on my little
net and nothing that can't be taken off line
as needed. Besides that, the purpose of this little
net is to have FUN with SECURITY!!!!!!!!

Ah, yes, I'll need to update some of my transparent
bridges to glean (parse) various (new) traffic streams.
(any suggestions there?)


> you can write a wiki page that helps others immensely.
> But just be informed upfront about what it's going to take.

wink wink, nudge nudge. OK.
;-)

I'm not unfamiliar with it, just rusty (bout 5 years)
The experience is EXACTLY what I'm looking for.
Nothing here to steal, unless hacks can jump
an air gap firewall....(ha ha).... I'm quite
certain it's going to be FUN!

Maybe, just maybe, this is something that the
GENTOO DOCS should be addressing??????????

All input is most welcome.

cheers,
James
 
Old 11-08-2010, 08:01 PM
Kyle Bader
 
Default DNSSEC

> Nothing here to steal, unless hacks can jump
> an air gap firewall....(ha ha)....

Sorry to go off on a tangent but I couldn't help pointing out a common
misconception: you don't need to worry about security because you
assume you don't have anything worth protecting. A machine with
internet access alone is an asset that many adversaries would be happy
to abuse.

--

Kyle
 
Old 11-08-2010, 08:33 PM
Stroller
 
Default DNSSEC

On 8/11/2010, at 9:01pm, Kyle Bader wrote:

>> Nothing here to steal, unless hacks can jump
>> an air gap firewall....(ha ha)....
>
> Sorry to go off on a tangent but I couldn't help pointing out a common
> misconception: you don't need to worry about security because you
> assume you don't have anything worth protecting. A machine with
> internet access alone is an asset that many adversaries would be happy
> to abuse.

James doesn't actually say where he's located, but assuming he's in a similar situation to most of us: I understood that unix boxes with only a domestic broadband internet connection were now considered extremely low-value to hackers.

If one only needs a compromised box with a domestic broadband internet connection then one can seed dodgy movie files on Rapidshare or whatever, and obtain multiple compromised Windows boxes far more easily than a single Linux box.

I would imagine that there are plenty of poorly configured rented servers and virtual hosts in datacentres, on the other hand, which would be far more attractive.

Stroller.
 